User authentication is a fundamental aspect of modern computer use. Authentication enables computer systems to recognize specific users through a shared secret or another jointly recognized mechanism. User authentication can take the form of a simple username and secret password or involve more complex methods based on multiple factors (e.g., biometrics, fingerprint scans, etc.). Within enterprise computer environments, users often authenticate to many computer systems and applications throughout the network. In this environment, authentication is typically provided by a unified network authentication mechanism. This network authentication capability and the centralized account management that accompanies it are a mainstay of modern information technology (IT) administration. Without it, managing accounts and authentication credentials across large numbers of individual systems would pose significant challenges.
Centralized management and authentication are considered both a best practice and an expectation in the IT infrastructure of most large organizations. Because network authentication events are generated for many activities, including access to applications and information of importance to an organization, these events provide significant insight into the behavior of the authenticating users. In addition, because user authentication activity implies directional relationships between computers within an enterprise network (from the computer a user authenticates from to the computer authenticated to), it can be represented as directed graphs, or digraphs. These user authentication graphs provide a useful representation, enabling a platform for behavioral analytics based on a variety of induced graph attributes.
FIG. 1 illustrates two login events 100 and an induced directional graph 110. Two example log messages 102, 104 for a user U1 whose computer access was granted are shown: one for computer IP address 192.168.0.1 (i.e., computer C1) accessing computer C2 and another for the same IP address accessing computer C3. The directional graph 110 induced from log messages 102, 104 is also shown.
However, while it is possible to represent user behavior with graphs, there is currently no effective way to differentiate between authorized users and unauthorized, potentially malicious, users (also referred to as “intruders” herein) in a network based solely on authentication events. There is also currently no effective way to detect inappropriate, potentially malicious, authentication behavior by otherwise authorized users. Accordingly, applying graph-based analysis of user authentication behavior to address these two problems may be beneficial.
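The graph induction described above, as an added example that is not part of the patent text: it parses constructed login events modelled on FIG. 1 (user U1 authenticating from 192.168.0.1, i.e., C1, to C2 and C3), builds one digraph per user from granted logins only, and computes a few induced attributes (node count, edge count, per-source out-degree) of the kind a per-user behavioral baseline could track. The log field layout, the `result=` field, and the IP-to-hostname mapping are assumptions.

```python
# Added example (not from the patent): induce per-user authentication digraphs
# from login events. Log field layout and the IP-to-host mapping are assumptions.
import re
from collections import defaultdict

# Constructed sample log lines mirroring FIG. 1 (U1 from 192.168.0.1 to C2, C3).
SAMPLE_LOGS = [
    "2024-01-01T08:00:00 user=U1 src=192.168.0.1 dst=C2 result=granted",
    "2024-01-01T08:05:00 user=U1 src=192.168.0.1 dst=C3 result=granted",
    "2024-01-01T08:06:00 user=U1 src=192.168.0.1 dst=C3 result=granted",
    "2024-01-01T09:00:00 user=U2 src=C2 dst=C4 result=denied",
]

# Assumed mapping of source IP to hostname (FIG. 1 treats 192.168.0.1 as C1).
HOST_BY_IP = {"192.168.0.1": "C1"}

LOG_RE = re.compile(r"user=(\S+) src=(\S+) dst=(\S+) result=(\S+)")


def parse_event(line):
    """Return (user, src_host, dst_host, granted) or None if unparseable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    user, src, dst, result = m.groups()
    return user, HOST_BY_IP.get(src, src), dst, result == "granted"


def induce_graphs(lines):
    """One digraph per user: src -> {dst: count}, from granted logins only."""
    graphs = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in lines:
        ev = parse_event(line)
        if ev is None or not ev[3]:  # skip garbage and denied attempts
            continue
        user, src, dst, _ = ev
        graphs[user][src][dst] += 1  # edge direction = authentication direction
    return graphs


def graph_attributes(graph):
    """Induced attributes a per-user behavioral baseline can track."""
    nodes = set(graph)
    for dsts in graph.values():
        nodes.update(dsts)
    edges = sum(len(d) for d in graph.values())
    out_degree = {src: len(dsts) for src, dsts in graph.items()}
    return {"nodes": len(nodes), "edges": edges, "out_degree": out_degree}
```

Repeated logins over the same edge are kept as a count rather than a new edge, so the graph for U1 has the two edges of FIG. 1 even though C3 was accessed twice in the sample.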